Premera, Anthem breaches probably espionage, expert says

Attackers who compromised personal data of about 11 million customers of health insurer Premera were likely after intelligence about groups or individuals, not cashing in on the information, even though it has enormous market value, experts say.

Indications are that the attack and a similar one at Anthem disclosed earlier this year were perpetrated by the same group that likely has ties to the government of China, which isn't looking for a monetary payday, says Ben Johnson, chief security strategist for Bit9+CarbonBlack.

Neither victim corporation has said whether the data was stolen or merely exposed, but it seems the attackers were after information about individuals or groups of individuals, says Rich Barger, chief intelligence officer for Threat Connect, which has pieced together third-party data about the breaches. Both Anthem and Premera are Blue Cross/Blue Shield firms that serve many U.S. government employees, including U.S. military.

Johnson says there are enough indicators to conclude it's the same actor. "It's relatively safe to say it's the same group," he says. Tool signatures, domain names, the timeframe of the attacks and the similarity of the targets all point to one actor, likely Chinese and likely government affiliated.

Others disagree and point to the money motive. "Medical records are rich in information that can be used for profitable health care fraud as well as all the traditional scams that stolen data has powered," says Jonathan Sander, strategy and research officer for STEALTHbits Technologies.

The attackers may have been looking for information on a small group or even an individual, but took more just because they could or to mask who their actual target was, says Johnson. "If I were in the attackers' shoes... I would probably dump the whole database so you don't know who I'm looking for or looking at," he says.

Since the same tools, infrastructure and timeframe link these two attacks to one against defense contractor VAE and the U.S. Office of Personnel Management, it is likely the attackers were looking at U.S. government employees or those affiliated with the U.S. military. "To say it's exactly the same warm body behind the keyboard is very difficult," says Barger, but it's very likely the same organization is directing all the activities.

That the Anthem and Premera breaches were discovered on the same date, Jan. 29, "is an unlikely coincidence," says Johnson. The healthcare community, the FBI and others could have been involved in a larger investigation that came together that day. "I believe one was discovered and others were told to go check," he says.

His advice to health insurers is to look for similar compromises. He says he was shocked when Home Depot was hit last year by cyber thieves stealing credit card data so soon after a major theft from Target. "If I were a retailer I would have looked at every byte on my network," he says. "Health insurers should be looking now."

Insurers need to work with each other to build a more comprehensive picture of what they are dealing with and prioritize threats. "I wouldn't try to go figure it out alone," Barger says. Cooperation and sharing intelligence is a must. "We're all in the same boat and we should start acting like it."

Johnson rates the attackers' skills at 8 on a scale of 10. "You have to be pretty good to do this," he says.

Right now, malware from these attackers is probably sitting on systems that people believe are untouched, and it may not expose itself by trying to communicate out for another year. "That's what I'm worried about," he says.

And health care enterprises aren't the only targets. Any business doing business with a target is also a target that could be used as a jumping off point to infiltrate the main objective's network, Johnson says.

"I don't believe this is the end," he says. "Other companies are finding out right now [that they are breached] or not, but they are. There was nothing extra vulnerable about Anthem or Premera."

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.